Date:      Thu, 24 Jun 2004 15:59:12 +0800 (CST)
From:      Xin LI <delphij@frontfree.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        cyrille.lefevre@laposte.net
Subject:   ports/68268: [PATCH] SECURITY UPDATE isc-dhcp3-server to 3.0.1rc14
Message-ID:  <20040624075912.81B03115DA@beastie.frontfree.net>
Resent-Message-ID: <200406240800.i5O80iSc096550@freefall.freebsd.org>


>Number:         68268
>Category:       ports
>Synopsis:       [PATCH] SECURITY UPDATE isc-dhcp3-server to 3.0.1rc14
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 24 08:00:43 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Xin LI
>Release:        FreeBSD 5.2-delphij i386
>Organization:
The FreeBSD Simplified Chinese Project
>Environment:
System: FreeBSD beastie.frontfree.net 5.2-delphij FreeBSD 5.2-delphij #78: Mon Jun 21 23:19:51 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386


>Description:
	The attached patch upgrades isc-dhcp3-server to 3.0.1rc14, which is a
	security update. A vuxml entry should be added to warn users about
	the vulnerabilities found in isc-dhcp3-server 3.0.1rc12 - 3.0.1rc13.

	Maintainer, please review my patch and consider approving it, thanks
	in advance!

	According to US-CERT Technical Cyber Security Alert TA04-174A -- Multiple Vulnerabilities in ISC DHCP 3:

	Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a
	denial of the DHCP service on a vulnerable system. It may be possible
	to exploit these vulnerabilities to execute arbitrary code on the
	system.

>How-To-Repeat:
>Fix:

	Apply the attached patch, then remove the zero-sized file (files/patch-freebsd)

--- patch-isc begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/Makefile,v
retrieving revision 1.96
diff -u -r1.96 Makefile
--- Makefile	18 Jun 2004 07:40:43 -0000	1.96
+++ Makefile	24 Jun 2004 07:41:32 -0000
@@ -7,8 +7,7 @@
 #
 
 PORTNAME=	dhcp
-PORTVERSION=	3.0.1.r12
-PORTREVISION=	3
+PORTVERSION=	3.0.1.r14
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	dhcp dhcp/dhcp-3.0-history
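Review bot: the PORTVERSION bump from 3.0.1.r12 to 3.0.1.r14 is the security fix, but the patch carries no VuXML entry even though the description asks for one. Please include the entry or file it alongside, with an affected range matching the 3.0.1rc12 - 3.0.1rc13 versions named in the description, so that the fix and the advisory land together. Dropping PORTREVISION on a version bump is fine.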
@@ -113,7 +112,7 @@
 BIN_FILES=	dhcrelay
 RC_FILES=	isc-dhcrelay
 .endif
-DOC_FILES=	ANONCVS CHANGES COPYRIGHT README RELNOTES
+DOC_FILES=	LICENSE README RELNOTES
 
 SAMP_SUFX=	.sample
 
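Review bot: DOC_FILES drops ANONCVS, CHANGES and COPYRIGHT in favour of LICENSE with no explanation in the PR. Please state in the commit message whether this follows the file layout of the 3.0.1rc14 distribution, so the change is not read as an unrelated cleanup riding along with a security update. It is at least consistent with the pkg-plist change later in this patch.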
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/distinfo,v
retrieving revision 1.46
diff -u -r1.46 distinfo
--- distinfo	11 Mar 2004 13:03:53 -0000	1.46
+++ distinfo	24 Jun 2004 07:33:25 -0000
@@ -1,2 +1,2 @@
-MD5 (dhcp-3.0.1rc12.tar.gz) = cf00193dcf349c888a62e4462ae1eb9c
-SIZE (dhcp-3.0.1rc12.tar.gz) = 857323
+MD5 (dhcp-3.0.1rc14.tar.gz) = a68074d9ebdeb355c293d9b3645b3c2c
+SIZE (dhcp-3.0.1rc14.tar.gz) = 842712
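Review bot: the new distinfo entry is the only integrity check on dhcp-3.0.1rc14.tar.gz, and it consists of MD5 plus SIZE generated on the submitter's machine. For a security update, please confirm that the tarball these values were computed from was checked against whatever signature or checksum ISC publishes for the release before this is committed, and say so in the PR.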
Index: pkg-message
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/pkg-message,v
retrieving revision 1.5
diff -u -r1.5 pkg-message
--- pkg-message	1 Jun 2004 13:34:27 -0000	1.5
+++ pkg-message	24 Jun 2004 07:48:28 -0000
@@ -9,9 +9,9 @@
 	    dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf"	# configuration file
 	    dhcpd_ifaces=""				# ethernet interface(s)
 
-****  For instance, rc.conf like variables are still read from %%PREFIX%%\
-      /etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf.  Also,
-      the dhcpd_options variable must be renamed dhcpd_flags.
+****  For instance, rc.conf like variables are still read from
+      %%PREFIX%%/etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf.
+      Also, the dhcpd_options variable must be renamed dhcpd_flags.
 
 ****  If compiled with paranoia support (the default), the following options
       are also supported:
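Review bot: the rewrapped text still reads "They should be move into /etc/rc.conf"; since these lines are being touched anyway, change it to "should be moved into" and hyphenate "rc.conf-like". Removing the trailing backslash that split %%PREFIX%%/etc/rc.isc-dhcpd.conf across two lines is a good change, as the path can now be copied intact.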
Index: pkg-plist
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/pkg-plist,v
retrieving revision 1.27
diff -u -r1.27 pkg-plist
--- pkg-plist	16 Mar 2004 20:31:15 -0000	1.27
+++ pkg-plist	24 Jun 2004 07:44:01 -0000
@@ -3,9 +3,7 @@
 etc/dhcpd.conf.sample
 etc/rc.d/isc-dhcpd.sh
 sbin/dhcpd
-%%PORTDOCS%%%%DOCSDIR%%/ANONCVS
-%%PORTDOCS%%%%DOCSDIR%%/CHANGES
-%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT
+%%PORTDOCS%%%%DOCSDIR%%/LICENSE
 %%PORTDOCS%%%%DOCSDIR%%/README
 %%PORTDOCS%%%%DOCSDIR%%/RELNOTES
 %%PORTDOCS%%@dirrm %%DOCSDIR%%
Index: files/patch-Makefile.dist
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/files/patch-Makefile.dist,v
retrieving revision 1.1
diff -u -r1.1 patch-Makefile.dist
--- files/patch-Makefile.dist	17 Jan 2004 23:09:02 -0000	1.1
+++ files/patch-Makefile.dist	24 Jun 2004 07:33:56 -0000
@@ -1,25 +1,8 @@
---- Makefile.dist.orig	Fri Nov  8 00:10:08 2002
-+++ Makefile.dist	Tue Apr 29 00:07:43 2003
-@@ -3,13 +3,13 @@
- # Copyright (c) 1996-2002 Internet Software Consortium.
- # Use is subject to license terms which appear in the file named
- # ISC-LICENSE that should have accompanied this file when you
--# received it.   If a file named ISC-LICENSE did not accompany this
-+# received it.  If a file named ISC-LICENSE did not accompany this
- # file, or you are not sure the one you have is correct, you may
- # obtain an applicable copy of the license at:
- #
--#             http://www.isc.org/isc-license-1.0.html. 
-+#            http://www.isc.org/isc-license-1.0.html. 
- #
--# This file is part of the ISC DHCP distribution.   The documentation
-+# This file is part of the ISC DHCP distribution.  The documentation
- # associated with this file is listed in the file DOCUMENTATION,
- # included in the top-level directory of this release.
- #
-@@ -17,47 +17,200 @@
- # http://www.isc.org for more information.
- #
+--- Makefile.dist.orig	Fri Jun 11 01:59:10 2004
++++ Makefile.dist	Thu Jun 24 15:33:16 2004
+@@ -22,47 +22,200 @@
+ #   http://www.isc.org/
+ 
  
 -SUBDIRS=	common $(MINIRES) dst omapip server client relay dhcpctl
 +COMMON_SUBDIRS=	common
Index: files/patch-freebsd
===================================================================
RCS file: files/patch-freebsd
diff -N files/patch-freebsd
--- files/patch-freebsd	16 Mar 2004 20:31:15 -0000	1.9
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,75 +0,0 @@
---- client/scripts/freebsd.orig	Sun Apr 27 21:44:01 2003
-+++ client/scripts/freebsd	Wed Mar  3 02:28:29 2004
-@@ -16,7 +16,7 @@
-       ( echo search $new_domain_name >/etc/resolv.conf )
-       exit_status=$?
-     else
--      rm /etc/resolv.conf
-+      ( rm /etc/resolv.conf )
-       exit_status=$?
-     fi
-     if [ $exit_status -ne 0 ]; then
-@@ -32,17 +32,17 @@
- # Must be used on exit.   Invokes the local dhcp client exit hooks, if any.
- exit_with_hooks() {
-   exit_status=$1
--  if [ -f /etc/dhclient-exit-hooks ]; then
--    . /etc/dhclient-exit-hooks
-+  if [ -f %%PREFIX%%/etc/dhclient-exit-hooks ]; then
-+    . %%PREFIX%%/etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-   exit $exit_status
- }
- 
- # Invoke the local dhcp client enter hooks, if they exist.
--if [ -f /etc/dhclient-enter-hooks ]; then
-+if [ -f %%PREFIX%%/etc/dhclient-enter-hooks ]; then
-   exit_status=0
--  . /etc/dhclient-enter-hooks
-+  . %%PREFIX%%/etc/dhclient-enter-hooks
-   # allow the local script to abort processing of this state
-   # local script must set exit_status variable to nonzero.
-   if [ $exit_status -ne 0 ]; then
-@@ -51,11 +51,11 @@
- fi
- 
- if [ x$new_network_number != x ]; then
--   $LOGGER New Network Number: $new_network_number
-+  $LOGGER "New Network Number: $new_network_number"
- fi
- 
- if [ x$new_broadcast_address != x ]; then
-- $LOGGER New Broadcast Address: $new_broadcast_address
-+  $LOGGER "New Broadcast Address: $new_broadcast_address"
-   new_broadcast_arg="broadcast $new_broadcast_address"
- fi
- if [ x$old_broadcast_address != x ]; then
-@@ -71,6 +71,15 @@
-   alias_subnet_arg="netmask $alias_subnet_mask"
- fi
- 
-+# Get the interface to which our default route is bound to.
-+if [ -x /usr/bin/netstat ]; then
-+	if_defaultroute=`/usr/bin/netstat -rn \
-+		| /usr/bin/grep "^default" \
-+		| /usr/bin/awk '{print $6}'`
-+else
-+	if_defaultroute=""
-+fi
-+
- if [ x$reason = xMEDIUM ]; then
-   eval "ifconfig $interface $medium"
-   eval "ifconfig $interface inet -alias 0.0.0.0 $medium" >/dev/null 2>&1
-@@ -113,7 +122,10 @@
-     eval "ifconfig $interface inet -alias $old_ip_address $medium"
-     route delete $old_ip_address 127.1 >/dev/null 2>&1
-     for router in $old_routers; do
--      route delete default $router >/dev/null 2>&1
-+	if [ x$if_defaultroute = x ] || [ x$if_defaultroute = x$interface ]
-+	 then
-+	      route delete default $router >/dev/null 2>&1
-+	fi
-     done
-     if [ -n "$old_static_routes" ]; then
-       set -- $old_static_routes
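Review bot: deleting files/patch-freebsd drops local changes to client/scripts/freebsd, and the PR does not say whether 3.0.1rc14 already contains them. Please confirm in particular the %%PREFIX%%/etc/dhclient-enter-hooks and dhclient-exit-hooks paths and the if_defaultroute check that guards "route delete default $router"; if upstream lacks either, the port silently goes back to sourcing hooks from /etc and to deleting the default route regardless of which interface owns it. The Fix text also relies on the committer removing the zero-sized file by hand, which is worth repeating in the commit instructions.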
--- patch-isc ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040624075912.81B03115DA>